Ransomware Variant XTBL Another Example of Popular Malware


We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we recently received a sample of XTBL, a low-profile ransomware family that encrypts files and demands a ransom from its victims to decrypt them. Like other ransomware families, XTBL propagates through a wide range of spam campaigns. Attackers have used various social engineering tricks to distribute these samples disguised as document (.pdf, .doc, .xls, etc.) files, using the double-extension trick to lure users into opening the attachment.

A sample spam email may look like this:


We analyzed XTBL and found it does the following:

  • Encrypts and deletes all user files including executables.
  • Deletes all backup copies.
  • Adds self-copies for rerunning.
  • Demands ransom.

After it has finished, XTBL sets the desktop wallpaper as shown below:



In our static analysis of the malware sample, we found that it holds some encrypted data in its overlay. Upon execution, it decrypts this data, an executable, and injects it into its own subprocess.


This injected component carries out the actual infection. It decrypts all the configuration information it needs, which contains:

  • RSA key size (first 4-byte group).
  • RSA key, which follows the key size.


  • RSA exponent:


  • Mail ID, where all information is sent:


  • “Magic” number used:
    • 006VGL (6 bytes). We have observed that each variant uses a different magic number, though the pattern remains the same, for example, 00{number}[A-Z]{3}.
  • Name of mutex created:
    • Global\snc_(unknown)
  • Path to exclude from encryption:
    • %windir%
  • Files to exclude from encryption:
    • Svchost.exe
    • Explorer.exe
    • Boot.ini
  • Name of dropped components:
    • How to decrypt your files.txt.
    • DECRYPT.jpg
    • %desktop%\Log.txt
  • For persistence, the malware drops a copy of itself in %windir% and %appdata% and creates a run entry:
    • Software\Microsoft\Windows\CurrentVersion\Run

It also sends 159 bytes of data to the remote host:


This data contains the victim’s computer name, globally unique identifier, user ID, and magic number:


This injected component creates a separate thread for each drive. Each of these threads creates four further threads, responsible for:

  • Traversing directory
  • Renaming file
  • File encryption
  • Deleting original file

This ransomware family opens files with the CreateFileW API with the share mode set to none (no sharing allowed) as an anti-debugging technique.


We found several steps for encrypting files.

Key generation

Twenty bytes of space are allocated for the key, which is generated from two sources, _ftime64() and rand(), as shown:


The key is generated as follows:

  • Dword_42C0A4 = Dword_42C0A4 ^ (1000*ms)
  • Dword_42C0A8 = Dword_42C0A4 ^ ((1000*ms) | data)
  • Dword_42C0AC = Dword_42C0A8 ^ rand()
  • Dword_42C0B0 = Dword_42C0B0 ^ 0 (that is, 0)

The key may look like this:


The ransomware computes the MD5 hash of the 20-byte generated key to obtain 16 bytes of data.


These 16 bytes will be used to encrypt the generated key using the RC4 algorithm.

To summarize, the key is generated using the following pseudocode:

  • Data = ([epochs]) ([ms*1000]) ([rand()]) ([0000])
  • Key = RC4(md5(Data),Data)

The key is encrypted using an RSA key in the configuration information.
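The following is an added reconstruction of the key-derivation step above, written for this post and not code from McAfee or from the sample itself. It assumes the 20-byte buffer is a 64-bit _ftime64 time value followed by three 32-bit words (ms*1000, rand(), 0), and that rand() is the MSVC CRT version with 15 bits of output; the last function shows why those inputs leave only a small effective key space once the infection time is roughly known.

```python
import hashlib
import struct

# Assumed buffer layout, reconstructed from the post's summary pseudocode
# (epochs | ms*1000 | rand() | 0000): a 64-bit _ftime64 time value followed by
# three 32-bit words. The 8-byte time field is an assumption; it is what makes
# the four groups add up to the 20 bytes the post says are allocated.
def build_key_material(epoch_secs, millis, rand_val):
    return struct.pack("<QIII", epoch_secs, (millis * 1000) & 0xFFFFFFFF,
                       rand_val & 0xFFFFFFFF, 0)


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_file_key(epoch_secs, millis, rand_val):
    """Key = RC4(md5(Data), Data), as summarised in the post."""
    data = build_key_material(epoch_secs, millis, rand_val)
    return rc4(hashlib.md5(data).digest(), data)


def candidate_key_count(window_seconds, rand_states=2 ** 15):
    """Size of the key space once the infection time is known to a window.

    Only the time and the rand() output vary (the last word is always zero and
    the MD5/RC4 step adds no entropy), so the count is seconds * 1000 ms *
    rand() states. 2**15 assumes the MSVC CRT rand(), which returns 0..32767.
    """
    return window_seconds * 1000 * rand_states
```

Because the MD5 and RC4 steps are deterministic functions of the 20-byte buffer, the strength of the per-file key rests entirely on the timestamp and one rand() call, which is why the RSA wrapping of this key is the only part an analyst cannot enumerate.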


File encryption

Files are encrypted using the AES-256 algorithm.


Original files will be deleted after encryption and encrypted files will be renamed as follows:

  • Filename.ID{Id}.mail_address.XTBL


Each encrypted file is appended with data that holds several important fields:

  • Encrypted filename
  • Magic number (6 bytes)
  • Randomly generated initial vector for each file (10 bytes)
  • Padding (10 bytes)
  • RSA block (80 bytes)
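An added triage helper for the renaming scheme and the appended fields described above (example code written for this post, not McAfee's tooling). It uses the field sizes the post lists and assumes they sit at the very end of the file in the listed order, after the encrypted filename; the sample file and the mailbox in it are constructed, while the 006VGL magic is the one the post reports.

```python
import re

# Constructed triage helper, not code from the post or from McAfee. Field sizes
# are the ones the post lists; their order at the very end of the file (magic,
# IV, padding, RSA block, after the encrypted filename) is an assumption taken
# from the order of that list.
MAGIC_LEN, IV_LEN, PAD_LEN, RSA_LEN = 6, 10, 10, 80
TRAILER_LEN = MAGIC_LEN + IV_LEN + PAD_LEN + RSA_LEN  # 106 bytes

# Renaming scheme from the post: Filename.ID{Id}.mail_address.XTBL
NAME_RE = re.compile(
    r"^(?P<original>.+)\.ID(?P<id>[^.]+)\.(?P<mail>\S+?)\.XTBL$", re.IGNORECASE)
# Magic number pattern observed across variants: 00{number}[A-Z]{3}
MAGIC_RE = re.compile(rb"^00[0-9][A-Z]{3}$")


def parse_xtbl_name(name):
    """Return the original name, victim ID and contact mailbox, or None."""
    m = NAME_RE.match(name)
    return m.groupdict() if m else None


def parse_trailer(blob):
    """Split the 106-byte trailer; None if too short or the magic is off-pattern."""
    if len(blob) < TRAILER_LEN:
        return None
    trailer = blob[-TRAILER_LEN:]
    magic = trailer[:MAGIC_LEN]
    if not MAGIC_RE.match(magic):
        return None
    iv = trailer[MAGIC_LEN:MAGIC_LEN + IV_LEN]
    rsa_block = trailer[MAGIC_LEN + IV_LEN + PAD_LEN:]
    return {"magic": magic.decode("ascii"), "iv": iv, "rsa_block": rsa_block,
            "body_len": len(blob) - TRAILER_LEN}  # ciphertext plus encrypted name


def triage(files):
    """files: iterable of (name, content). Returns one record per XTBL hit."""
    hits = []
    for name, content in files:
        meta = parse_xtbl_name(name)
        trailer = parse_trailer(content)
        if meta and trailer:
            hits.append({**meta, **trailer})
    return hits


# Constructed sample: 40 bytes of body, then magic 006VGL (from the post),
# IV, padding and an 80-byte stand-in for the RSA block.
SAMPLE = [("invoice.pdf.IDA1B2C3.victim@example.com.XTBL",
           b"\x00" * 40 + b"006VGL" + b"I" * 10 + b"\x00" * 10 + b"R" * 80),
          ("notes.txt", b"just a text file")]
```

Run `triage(SAMPLE)` to get one record carrying the victim ID, the contact mailbox, the per-file IV and the RSA block, which is the material a responder needs to preserve before deciding whether recovery is possible.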


List of Domains

  • bebgimeozel.com
  • dd24.net
  • rrpproxy.net
  • key-systems.net
  • tuginsaat.com

How to prevent this infection

We advise all users to be careful when opening unsolicited emails and clicking unknown links. We strongly advise all users to block the preceding domain names.

McAfee products detect these XTBL variants as Ransom-XTBL-FUL!<partial-md5> and Ransom-XTBL-FUM!<partial-md5>.

This post was prepared with the invaluable assistance of Rakesh Sharma and G N Sivagnanam.


Analyzed samples (SHA-1)

  • E3AA4A3882FED182986A642F05B3711156CA5354: injected component
  • A07A1660EBD71BFF4B640665208D2ADE51791E69: attachment

